system auditor role

[jctanner]

https://issues.redhat.com/browse/AAP-24730

replaces #2157

[root@35f0b6ad6e2c src]# pulpcore-manager shell < script.py 

Collection Namespaces
        ADD :: 467 :: Can view namespace :: view_namespace

Collections
        ADD :: 17 :: Can view collection :: view_collection
        ADD :: 29 :: Can view ansible repository :: view_ansiblerepository

Users
        no changes needed

Groups
        no changes needed

Collection Remotes
        no changes needed

Ansible Repository
        no changes needed

Execution Environments
        ADD :: 161 :: View any push repository in a namespace :: namespace_view_containerpushrepository
        ADD :: 135 :: Can view container repository :: view_containerrepository
        ADD :: 154 :: Can view container namespace :: view_containernamespace
        ADD :: 508 :: Can view container namespace :: view_containernamespace
        ADD :: 157 :: View any distribution in a namespace :: namespace_view_containerdistribution

Container Registry Remotes
        ADD :: 500 :: Can view container registry remote :: view_containerregistryremote

Task Management
        no changes needed

[AlanCoding]

If you add a new permission here, would you need to add it to existing roles like galaxy.collection_namespace_owner which currently offers galaxy.change_namespace? Would some other API access logic need to be rewritten to utilize the new permission?

[jctanner]

@AlanCoding I was pointed to this file just last night and I don't fully know how it works.

[newswangerd]

@AlanCoding @jctanner This file should contain the set of permissions that we actually care about for enforcement. The problem is that pulp/django ship with a huge pile of random permissions, most of which we don't care about. galaxy.view_namespaces is a good example. Namespaces are always readable by everyone who is authenticated. We don't want to expose that permission to the UI or to users because adding it to a role does nothing.

@AlanCoding this is why I was so against using django permissions for DAB RBAC. It's practically impossible to get a full list of permissions that are actually enforced and actually do something in the system.

[AlanCoding]

This led to me file ansible/django-ansible-base#457. But it should be super minor, I want to declare a change is probably necessary in DAB RBAC for the documented reasons, but I'm completely confident that won't be challenging to do. We've just haven't done it yet.

[newswangerd]

A lot of the permissions you've added here don't actually do anything. Namespaces, for example, are viewable to everyone who is authenticated. We don't have the notion of a private namespace. I'd like to keep this file limited to the set of permissions that are actually enforced.

I think these will start to make sense once we fully integrate organizations, but for now this will just make the UI confusing.

[jctanner]

I need a discrete list of what's needed in that case. I had to write a script to find the missing "read" perms for each category because there's no pointers otherwise.

[newswangerd]

This file is the discrete list of what's needed. That's why I sent it to you. These are the permissions we care about.

[newswangerd]

Why did you comment this one out? We do support private repositories, so view permissions here should matter.

[jctanner]

Because this data structure is a dictionary and the key can only have one instance, which makes it impossible to add the same key to multiple categories.

[newswangerd]

Why does this need to be added to multiple categories?

[jctanner]

replaced by #2168